United States Patent [19]
Wobber et al.

US005235642A

[11] Patent Number: 5,235,642
[45] Date of Patent: Aug. 10, 1993
[54] ACCESS CONTROL SUBSYSTEM AND METHOD FOR DISTRIBUTED COMPUTER SYSTEM USING LOCALLY CACHED AUTHENTICATION CREDENTIALS

[75] Inventors: Edward Wobber, Menlo Park; Martin Abadi, Palo Alto; Andrew Birrell, Los Altos, all of Calif.; Butler Lampson, Cambridge, Mass.

[73] Assignee: Digital Equipment Corporation, Maynard, Mass.

[21] Appl. No.: 917,767

[22] Filed: Jul. 21, 1992

[51] Int. Cl.5: H04K 1/00

[52] U.S. Cl.: 380/25; 380/4

[58] Field of Search: 380/23, 25, 4

[56] References Cited

U.S. PATENT DOCUMENTS

4,677,552 6/1987 Sibley 380/23
4,847,902 7/1989 Hampson 380/25
4,941,176 7/1990 Matyas et al. 380/25
5,032,979 7/1991 Hecht et al. 380/23
5,081,678 1/1992 Kaufman et al. 380/25
5,144,659 9/1992 Jones 380/23

Primary Examiner — David Cain

Attorney, Agent, or Firm — Flehr, Hohbach, Test, Albritton & Herbert



[57] ABSTRACT

A distributed computer system has a number of computers coupled thereto at distinct nodes. The computer at each node of the distributed system has a trusted computing base that includes an authentication agent for authenticating requests received from principals at other nodes in the system. Requests are transmitted to servers as messages that include a first identifier provided by the requester and a second identifier provided by the authentication agent of the requester node. Each server process is provided with a local cache of authentication data that identifies requesters whose previous request messages have been authenticated. When a request is received, the server checks the request's first and second identifiers against the entries in its local cache. If there is a match, then the request is known to be authentic. Otherwise, the server node's authentication agent is called to obtain authentication credentials from the requester's node to authenticate the request message. The principal identifier of the requester and the received credentials are stored in a local cache by the server node's authentication agent. The server process also stores a record in its local cache indicating that request messages from the specified requester are known to be authentic, thereby expediting the process of authenticating received requests.

9 Claims, 5 Drawing Sheets
ACCESS CONTROL SUBSYSTEM AND METHOD FOR DISTRIBUTED COMPUTER SYSTEM USING LOCALLY CACHED AUTHENTICATION CREDENTIALS

The present invention relates generally to controlling access to computer resources in a distributed computer system, and particularly to apparatus and methods for making such access control systems more efficient by locally caching in each computer authentication credentials for principals requesting use of that computer's resources.

BACKGROUND OF THE INVENTION

Computer security systems are often based on the basic access control model, which provides a foundation for secrecy and integrity security procedures. See, for example, the 1974 article by Butler Lampson, "ACM Operating System Reviews," Vol. 8, No. 1, January 1974, pp. 18-24. The elements of this model are:

Objects, which are resources such as files, devices, or processes.
Requests to perform operations on objects.
Sources for requests, which are principals.
A reference monitor that examines each request for access to a specified object and decides whether to grant it.

The reference monitor bases its decision on the object, the principal making the request, the operation in the request, and a rule that says what principals may perform that operation. It should be understood that operation of the reference monitor is separate and distinct from other security issues, such as whether a requester is who he/she/it claims to be. That type of security is typically provided by using encryption and digital signature techniques, sometimes called authentication, as will be understood by those skilled in the art. The present invention is directed at a technique for making authentication of requesters more efficient.

In general, in most prior art systems authenticating each request by a requester requires digitally signing the request, as well as an exchange of information called "credentials" between the requester and the server to enable the server to authenticate the digital signature on the request. The authentication process can impose significant overhead on the operation of distributed computer systems, especially when the number of requests transmitted between nodes is high.

SUMMARY OF THE INVENTION

In summary, the present invention is a security system governing access to objects in a distributed computer system. The computer at each node of the distributed system has a trusted computing base that includes an authentication agent for authenticating requests received from principals at other nodes in the system. Requests are transmitted to servers as messages that include a first identifier (called an Auth ID) provided by the requester and a second identifier (called the subchannel value) provided by the authentication agent of the requester node. Each server process has an associated local cache that identifies requesters whose previous request messages have been authenticated. When a request is received, the server checks the request's first and second identifiers against the entries in its local cache. If there is a match, then the request is known to be authentic, without having to obtain authentication credentials from the requester's node, because the authentication agents guarantee authenticity of such request messages.

If the identifier in a request message does not match any of the entries in the server's local cache, then the server node's authentication agent is called to obtain authentication credentials from the requester's node to authenticate the request message. Upon receiving the required credentials from the requester node's authentication agent, the principal identifier of the requester and the received credentials are stored in a local cache by the server node's authentication agent. The server process also stores a record in its local cache indicating that request messages from the specified requester are known to be authentic, thereby expediting the process of authenticating received requests.

A further optimization is that the server process local cache is used to store a list of the object access control list entries previously satisfied by each requester, thereby enabling the server process to expedite granting access to previously accessed objects.

BRIEF DESCRIPTION OF THE DRAWINGS

Additional objects and features of the invention will be more readily apparent from the following detailed description and appended claims when taken in conjunction with the drawings, in which:

FIG. 1 is a block diagram of a distributed computer system with a trusted naming service for storing secure data shared by the members of the system.
FIGS. 2 and 3 are block diagrams of one node of the distributed computer system shown in FIG. 1.
FIG. 4 is a block diagram of two computers, one having a requester process that is requesting access to a server process in the second computer.
FIGS. 5A and 5B schematically depict an Authentication ID table and Channel Assignment Table maintained by authentication agents in the preferred embodiment of the present invention.
FIG. 6 schematically represents a data packet.
FIG. 7 schematically depicts a "local cache" of authentication data maintained by authentication agents in the preferred embodiment of the present invention.
FIG. 8 schematically depicts a local cache of authentication data maintained on behalf of each server process in the preferred embodiment of the present invention.
FIG. 9 is a block diagram representing an access control list.
FIG. 10 is a flow chart of the authentication process performed by the authentication agents associated with a requester and a server.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1, the present invention is a security system and method which typically operates in the context of a distributed computer system 100 having a set of computers 102-1 to 102-N interconnected by a local or wide area network 110 or some other communications medium. Each of these computers 102 is said to be located at a distinct node of the distributed computer system 100.

For the purposes of this document, we assume that the nodes are connected to each other by wires that are not physically secure. In the preferred embodiment, shared key encryption is used to secure channels between the nodes of the distributed system, and these channels are then multiplexed to obtain all the other channels needed by the network. Since the operating system at each node must be trusted anyway, using encryption at a finer grain than this (e.g., between processes) is not necessary. Alternately, public key encryption techniques could be used to secure the channels between nodes, although public key encryption is usually much slower than shared key encryption.

Each computer 102 contains the standard computer 
system components, including a data processing unit 
(CPU) 112, system bus 114, primary (random access) 
memory 116, secondary storage 118 (e.g., magnetic or 
optical disks), virtual memory manager 120, a user inter- 
face 122 (e.g., keyboard, monitor and printer) and net- 
work controller 124 for coupling the computer 102 to 
the network 110. A clock circuit 126 or equivalent 
mechanism provides each computer 102 with time val- 
ues (used by the security apparatus discussed below). 



The physical computer components are not modified by the present invention and are therefore not described in detail herein.

For convenience of schematic representation, the computer's operating system 130 is shown in FIG. 2 as being stored in primary memory, but as will be understood by those skilled in the art, portions of the operating system 130 are stored by the computer's virtual memory manager 120 in secondary memory when not in use. The operating system 130 includes a reference monitor 132 and authentication agent 134, both of which are discussed in more detail below.

Also shown in FIG. 2 is the (virtual) memory allocated to two processes, B1 and B2, including application programs as well as data structures and software associated with the present invention. As will be understood by those skilled in the art, while the memory space allocated to these processes is shown for convenience as being in primary memory, much of the memory space allocated to each process will be stored by the computer's virtual memory manager 120 in secondary memory when not in use.

Referring to FIG. 3, one node 102-1 of the distributed system is shown in more detail. Each node must have a trusted computing base (TCB) 135, which is typically a small amount of computer hardware and software that security depends on and that is distinguished from the remainder of the node, which can misbehave without affecting security. The TCB 135 includes a reference monitor program 132 (sometimes called the reference monitor), which gathers the information needed to justify an access control decision. The reference monitor program 132 runs within the address space of each process. The TCB 135 also includes an authentication agent 134, which in the present invention is a set of software in the computer's operating system that exchanges credentials with the authentication agents of other nodes so as to authenticate the source of request messages. The authentication agent 134 also performs a number of related tasks to ensure that messages originated by processes at its node are tagged or signed with valid sender identification data, as will be described below.

The TCB 135 does not include the storage devices from which data is retrieved nor the transmission channels from which messages are received. This is because digitally signed messages can be fetched from unsecured places without any loss of confidence that the signer actually sent them originally. The details of encryption, decryption, digital signatures and the like are not the subject of this document. These topics are widely discussed in the computer security literature. The present invention primarily concerns the authentication agent 134 and reducing the exchange of credentials associated with authenticating messages sent between requesters and servers on different nodes of the distributed computer system.

For the purposes of FIG. 3, a process A1 in node 102-2 has been labelled "requester" because it sends a request to one of the server processes B1 to BN on node 102-1. However, it should be noted that more generally the requester can be a principal using any one of the computers in the distributed system.

A principal is herein defined to be the source of a request or assertion. Typically, one thinks of a principal as a person, or a machine acting on behalf of a person. However, processes many layers removed from human direction, such as those in a transaction processing system, can also be principals.

Objects can be files, processes, sets of data such as tables or databases, programs (e.g., an interface program which governs use of an input/output device), and so on. In the preferred embodiment, the objects 136 to which access is governed by the reference monitor program 132 on node 102-1 are stored in the computer at that node (other arrangements may be possible). Each object 136 includes an Access Control List (ACL) 138 which defines the set of "principals" who are authorized to access the object 136.

Referring to FIG. 4, each node of the distributed system includes in its TCB an authentication agent 134. In the context of FIG. 4, we will consider the actions of the authentication agent 134 associated with process A1 on node 102-2 sending a request to a server process B1 on node 102-1.

Prior to the sending of any requests between two nodes, a secure channel 140 between the two nodes must be established. One method of establishing a secure channel between two nodes is to have the two nodes establish a host-to-host key that will be used both to encrypt and decrypt all data packets transmitted between the two nodes. Data packets in the preferred embodiment are encrypted using a private key encryption methodology, such as DES CBC.

The prior art provides any number of mechanisms for distributing encryption keys in a network. One such methodology developed at the Massachusetts Institute of Technology is known as KERBEROS. Other methodologies are known as public key systems. In any case, in the context of the present invention, any two host computers that will transmit data packets therebetween must first agree on a "host-to-host" encryption key that will be used to encrypt the secure portions of data packets transmitted between those two computers. Furthermore, to ensure data integrity, a CRC error detection code is included in each data packet, usually at the end of the data packet, for detecting corrupted packets as well as for detecting packets that may have been tampered with in an attempt to break the system's security provisions. Therefore each packet received by a node's network controller 124 must be decrypted and error checked by a CRC (cyclic redundancy check) circuit before it can be used by the receiving host computer 102.

Once a secure channel 140 has been established, all data packets sent over the secure channel 140 by either node are routed through the sender's authentication agent 134. The authentication agent 134 assigns a different virtual "subchannel" of the secure channel to each requester/server process pair for which a requester process on the authentication agent's node transmits data packets to a server process on the other node. Subchannels are similar to process-to-process communication channels found in traditional operating systems. For example, the Internet Transmission Control Protocol provides a bi-directional connection between two processes. However, in the present invention subchannels are implemented on top of node-to-node secure channels and authenticity guarantees can be made about the data which traverses them. Any given subchannel has two unique endpoints. The authentication agent at each endpoint guarantees the uniqueness of the endpoint it controls. Therefore, since an underlying node-to-node channel is implied, each endpoint can believe that all data received through the subchannel originated at the unique node and process associated with the other endpoint of that subchannel.

In the preferred embodiment, each principal associated with the node 102 is assigned a distinct authentication identifier, herein called the Auth ID. Typically, the assignment of the Auth ID to a principal is performed at



the time that the principal logs into the system. It is possible for a single process A1 to do work on behalf of multiple principals, in which case each principal associated with the process will be given a distinct Auth ID. Each node's authentication agent 134 maintains an Auth ID table 142, shown in FIG. 5A, which lists the name of the principal and its assigned Auth ID. Each record in the table would typically also include other information, such as the name of the process that the principal is logged onto.

Each node's authentication agent 134 also maintains a Channel Assignment table 144, shown in FIG. 5B, which lists for each communication subchannel that has been assigned to a process, identifiers associated with the channel, subchannel, requester process and server process for which the subchannel is being used.

Referring to FIG. 6, each data packet 146 transmitted between nodes includes items provided by the process sending the data packet, and at least one field whose value is provided by the authentication agent. In particular, the requester process will typically generate a data packet 146 that includes destination data 148, a field 150 containing the alleged Auth ID of the principal on whose behalf the data packet is being sent, plus other packet header data 152 and the packet body 154. The destination data 148, whether included in the data packet or provided separately by the sending process, identifies the server node and process to which the data packet is being sent. For instance, the destination data 148 may comprise a node identifier and a process identifier.

The authentication agent adds a subchannel value 156 to the data packet 146 that corresponds to the requester and server processes. If no subchannel has previously been assigned to this pair of processes, a unique subchannel value is assigned and a new entry is added to the channel assignment table 144, and then the assigned subchannel value is added to the data packet. If a subchannel has previously been assigned to this pair of processes, the assigned subchannel is obtained from the channel assignment table 144 and then added to the data packet 146. The subchannel value field 156 uniquely identifies the secure channel over which the packet will be sent, in addition to identifying the sending and receiving processes. Therefore, directly or indirectly, the subchannel field 156 includes a channel identifier. For instance, the subchannel field may contain a value used by the receiving node's network controller to determine which decryption key to use for decrypting the data packet.

Local Auth ID Cache for Authentication Agent. When a request message is sent from a requester principal to a server process, the authenticity of each request must be verified. The present invention modifies prior art authentication procedures by maintaining two types of "local caches" 160 and 164 (actually tables of data stored in memory) which identify requesters whose previous request messages were authenticated. The local cache 160 for the authentication agent lists the channel, subchannel and Auth ID of each principal from whom messages have been received. The record 162 in the local cache 160 for each such principal also includes a principal identifier, credentials received from the principal's host computer that authenticate the principal's messages, and a timestamp indicating a time limit on the validity of those credentials.

When a message from a principal is authenticated, a set of several credentials is sent to authenticate the message, including credentials authenticating the node and credentials specific to the user. Each such credential has an associated time limit that limits the validity of that credential. When an authentication agent receives a set of credentials for a particular requester, it stores in the corresponding record 162 a timestamp representing the shortest duration time limit associated with the received credentials. That is, each received credential is delivered with a time limit (e.g., a datum indicating that the corresponding credential is valid for N seconds), and the authentication agent converts those time duration limits into a time value to be compared during later attempts to use the record 162 with the computer's current time value (maintained by the computer in conjunction with its clock circuit 126).

Local Auth ID Cache for Server Processes. In the preferred embodiment, each server process maintains a local cache 164 in its own address space. As shown in FIG. 8, each record 166 of the server process local cache identifies a requester principal from whom a request was previously received, the requester's Auth ID and the subchannel over which request messages from that requester have been received, a timestamp indicating a time limit on the validity of the local cache entry, as well as a list of the object ACL entries which the requester principal is known to satisfy.

As mentioned before, each object has an associated access control list (ACL). Typically, each ACL 138 contains a list of entries, each of which indicates the type of access allowed for a specified principal. As shown in FIG. 9, an object's ACL 138 consists of a set of entries 170 for each distinct type of access associated with the object. For instance, if an object is a set of data, it is possible or even likely that some principals might have only read access while other principals are allowed both read and write access. Each entry 170 defines one principal or compound principal who is authorized to access the object.

The concept of compound principals allows for virtually unlimited complexity in defining a requester or defining a party authorized to access an object. Compound principals, and their use in computer access control systems, are discussed extensively in pending patent applications Ser. No. 07/589,923, filed Sep. 28, 1990,
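The two caches described above (the authentication agent's cache 160 keyed by channel, subchannel and Auth ID, and the server process's cache 164 with its list of satisfied ACL entries) together with the credential fetch from the requester's node can be modelled in a few classes. The following is an added example written for this page and is not code from the patent or from Digital Equipment Corporation. The class and method names, the dictionary layouts of the tables, the "alice"/"payroll.db" data and the credential lifetimes are all constructed for illustration; the node and process names (102-2, A1, 102-1, B1) follow the text. The secure channel itself (DES-CBC plus CRC in the patent) is assumed to be already in place, so a packet's channel field is taken as the channel it really arrived on, which is the check the text leaves to the server process. Credential signing is omitted.

```python
class Clock:
    now = 0   # stands in for clock circuit 126; time is an integer number of seconds

class RequesterAgent:
    """Agent 134 on the requester node: Auth ID table 142 (FIG. 5A) and channel table 144 (FIG. 5B)."""
    def __init__(self, node, ttls):
        self.node, self.ttls, self.fetches = node, ttls, 0  # ttls: constructed credential lifetimes
        self.auth_ids = {}       # Auth ID -> (principal, process it is logged onto)
        self.assigned = {}       # (requester proc, channel, server proc) -> subchannel
        self.channel_table = {}  # (channel, subchannel) -> requester proc

    def login(self, principal, process, auth_id):
        self.auth_ids[auth_id] = (principal, process)

    def send(self, req_proc, srv_node, srv_proc, auth_id, body):
        """Steps 200-202: the process supplies the alleged Auth ID (field 150); the agent
        adds the subchannel value (field 156) assigned to this requester/server pair."""
        channel = f"{self.node}->{srv_node}"
        key = (req_proc, channel, srv_proc)
        if key not in self.assigned:                      # first packet for this pair
            self.assigned[key] = sub = len(self.assigned) + 1
            self.channel_table[(channel, sub)] = req_proc
        return {"channel": channel, "subchannel": self.assigned[key],
                "auth_id": auth_id, "dest": srv_proc, "body": body}

    def credentials_for(self, channel, subchannel, auth_id):
        """Steps 214-215: find the process for (channel, subchannel), then check that the
        Auth ID is assigned to a principal logged onto that process; otherwise NAK (None)."""
        self.fetches += 1
        proc = self.channel_table.get((channel, subchannel))
        who = self.auth_ids.get(auth_id)
        if proc is None or who is None or who[1] != proc:
            return None
        # Constructed credentials as (name, validity in seconds): one for the node, one for the user.
        return who[0], [("node-cred", self.ttls["node"]), ("user-cred", self.ttls[who[0]])]

class ServerAgent:
    """Agent on the server node with local cache 160 (FIG. 7)."""
    def __init__(self, clock):
        self.clock, self.cache = clock, {}   # (channel, subchannel, auth_id) -> (principal, creds, expires)

    def authenticate(self, packet, peer):
        key = (packet["channel"], packet["subchannel"], packet["auth_id"])
        rec = self.cache.get(key)
        if rec is not None and rec[2] > self.clock.now:   # step 210: pre-authenticated
            return rec[0], rec[2]
        answer = peer.credentials_for(*key)                # step 214: ask the requester's node
        if answer is None:
            return None                                    # nak: the request is voided
        principal, creds = answer
        expires = self.clock.now + min(ttl for _, ttl in creds)   # shortest time limit wins
        self.cache[key] = (principal, creds, expires)              # record 162
        return principal, expires

    def purge(self):
        """Periodic sweep of expired records 162; returns how many were dropped."""
        dead = [k for k, v in self.cache.items() if v[2] <= self.clock.now]
        for k in dead:
            del self.cache[k]
        return len(dead)

class ServerProcess:
    """Server process B1 with its own cache 164 (FIG. 8) and per-object ACLs (FIG. 9)."""
    def __init__(self, agent, acls):
        self.agent, self.acls = agent, acls   # acls: object -> {operation: {principals}}
        self.cache = {}   # key -> {"principal", "expires", "acl": satisfied (object, op) pairs}

    def handle(self, packet, peer):
        key = (packet["channel"], packet["subchannel"], packet["auth_id"])
        rec = self.cache.get(key)
        if rec is None or rec["expires"] <= self.agent.clock.now:   # step 206: cache miss
            result = self.agent.authenticate(packet, peer)            # step 208
            if result is None:
                return "rejected"
            rec = {"principal": result[0], "expires": result[1], "acl": set()}
            self.cache[key] = rec                                      # record 166
        obj, op = packet["body"]
        if (obj, op) not in rec["acl"]:      # not yet known to be satisfied: consult the ACL
            if rec["principal"] not in self.acls.get(obj, {}).get(op, set()):
                return "denied"
            rec["acl"].add((obj, op))        # step 220: remember the satisfied entry
        return "ok"

def run_scenario():
    """Constructed walk-through: process A1 on node 102-2, principal alice, Auth ID 7."""
    clock = Clock()
    a = RequesterAgent("102-2", {"node": 3600, "alice": 60})
    a.login("alice", "A1", auth_id=7)
    b = ServerProcess(ServerAgent(clock), {"payroll.db": {"read": {"alice"}}})
    req = lambda auth_id, op: a.send("A1", "102-1", "B1", auth_id, ("payroll.db", op))
    out = {"first": b.handle(req(7, "read"), a), "second": b.handle(req(7, "read"), a)}
    out["fetches_after_two"] = a.fetches      # the second request never left cache 164
    out["write"] = b.handle(req(7, "write"), a)
    out["forged"] = b.handle(req(99, "read"), a)   # Auth ID not in table 142: NAK from the requester node
    clock.now = 61                            # the 60 s user credential has lapsed
    out["purged"] = b.agent.purge()
    out["after_expiry"] = b.handle(req(7, "read"), a)
    out["fetches_total"] = a.fetches
    return out
```

Two requests from the same requester cost one credential exchange; the denied write shows that cache 164 only short-circuits ACL entries already satisfied, not the ACL check itself; the forged Auth ID fails at the requester node's two-step table lookup; and after the shortest credential lifetime passes, both caches treat the record as stale and a fresh exchange is performed.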
entitled Compound Principals in Access Control Lists, and Ser. No. 07/783,361, filed Oct. 28, 1991, entitled Access Control Subsystem and Method for Distributed Computer System Using Compound Principals, both of which are hereby incorporated by reference.

Authenticating Requests. Referring to the flow chart in FIG. 10, whenever a request message is transmitted to a server process at another node, the receiving node identifies the requester in terms of the channel over which the data packet was transmitted, plus the subchannel and Auth ID fields 156 and 150 in the data packet. Note that while the subchannel field 156 in the preferred embodiment includes both channel and subchannel values, in other embodiments the channel might be identified in other ways, with the resulting channel value being passed to the server process along with the received data packet. In either case, it is the responsibility of the server process to ensure that the subchannel value in the received message corresponds to the actual secure channel over which the request was received.

In the preferred embodiment, the requester process creates the request message (step 200), including an alleged Auth ID value, and the authentication agent adds the channel and subchannel information to the corresponding data packet (step 202), based on the identities of the requester and server processes between which the data packet is being transmitted, before transmitting the request message data packet to the node associated with the requested server. Assuming that the packet arrives uncorrupted at its specified destination node, the data packet is delivered into the address space of the specified server process (step 204), for example process B1 of node 102-1. The server process B1 then checks its local cache 164 to see if there is already an entry for the requester, as identified by the "channel, subchannel, Auth ID" values associated with the received data packet (step 206).

If the requester is not listed in the server's local cache 164, or if the entry 166 for the requester is no longer valid (as determined by comparing the timestamp value in the entry 166 with a current time value maintained by the computer in conjunction with its clock circuit 126), then the server process requests the authentication agent 134 for its node to authenticate the request message (step 208). Since the authentication agent 134 for the server's node may already have received credentials for the requester in a previous transaction, it looks for a record in its local cache matching the request message's channel, subchannel and Auth ID (step 210). If the authentication agent's local cache 160 contains a record matching the channel, subchannel and Auth ID associated with the received message, and the timestamp value indicates that the record 162 for the requester is still valid, that means the request message is "pre-authenticated", in which case the authentication agent notifies the server process that the request message is authentic (step 212) and passes to the server process the timestamp and (optionally) the Principal ID for the requester. By including the Principal ID of the requester in the server process' local cache 164, accessing objects using the requester's Principal ID is made more efficient.

If the requester's Auth ID is not found in the authentication agent's local cache 160, then the authentication agent sends a request to the authentication agent of the requester's node for credentials to authenticate the request message (step 214). The authentication agent of the requester's node checks the authenticity of the "channel, subchannel, Auth ID" values associated with the request message. The first step of this checking process is searching its channel assignment table 144 for the requester process associated with the request message's channel and subchannel. The second step is searching the Auth ID Table 142 to see if the specified Auth ID value is assigned to a principal logged onto the process found in the channel assignment table 144. If the authentication agent determines that the "channel, subchannel, Auth ID" values associated with the request message are valid, then it sends to the authentication agent in the server node the Principal ID for the requester, plus the required credentials, using digital signing protocols well known to those skilled in the art, thereby authenticating the request message (step 215). If the requester node authentication agent determines that the "channel, subchannel, Auth ID" values associated with the request message are not valid, it sends a negative acknowledgement (nak message) back to the server node's authentication agent, which will then void the request message.

Upon receipt of the required credentials, the server node's authentication agent stores the credentials in a record 162 in its local cache 160 and notifies the server process that the request message is authentic (step 212). The server process then adds a record 166 to its local cache 164 for the requester associated with the now-authenticated request message and proceeds with execution of the requested tasks (step 216).

Returning to step 206, if the requester is listed in the server's local cache 164, and the timestamp for the requester indicates that previously received credentials for this requester are still valid, the server process proceeds with execution of the requested tasks (step 218). During execution of these tasks, if the server process successfully gains access to any objects on behalf of the requester, the ACL entries satisfied by the requester are added by the server process to the requester's record in the server process's local cache (step 220). The storage of ACL entries known to be satisfied by a particular requester in the server's local cache can be used by the server process to expedite granting access to previously accessed objects.

The authentication agent 134 for each node will periodically check its local cache 160 for records with expired credentials, so that such records can be deleted, along with the corresponding records in the server process local caches.

While the present invention has been described with reference to a few specific embodiments, the description is illustrative of the invention and is not to be construed as limiting the invention. Various modifications may occur to those skilled in the art without departing from the true spirit and scope of the invention as defined by the appended claims. It should be noted that the authentication agent can be considered to be an abstraction representing various portions of an operating system, or even various secure programs, such as trusted applications, that run on top of the operating system, that perform the security functions of the above described invention.

What is claimed is:

1. In a distributed computer system having a multiplicity of interconnected computers, security apparatus comprising:

a plurality of processes, each process running on one of said multiplicity of computers, said plurality of
processes including requester processes and server
processes;

secure channels connecting ones of said multiplicity
of computers on which respective ones of said
requester processes are running to second ones of
said multiplicity of computers on which respective
ones of said server processes are running; and

a multiplicity of authenticating agents, each running
in a trusted computing base on a different one of
said multiplicity of interconnected computers;

one of said multiplicity of authenticating agents, run-
ning on one of said multiplicity of computers hav-
ing at least one server process running thereon,
including:

local cache means for maintaining data identifying
previously authenticated requests from ones of
said requester processes running on other ones of
said multiplicity of interconnected computers;
and

received request authenticating means for authenti-
cating, on behalf of said at least one server pro-
cess, a received request when data in said re-
ceived request match said data maintained by
said local cache means, for obtaining credentials
authenticating said received request when said
first data in said received request does not match
said data maintained by said local cache means,
and for enabling said at least one server process
to process said received request only after said
received request has been authenticated.

2. The security apparatus of claim 1, wherein

each requester process includes means for generating
a request and for initiating transmission of said
request over one of said secure channels to a speci-
fied one of said server processes; and
each server process includes
cache means for maintaining its own local cache of
data identifying previously authenticated re-
quests received by said server process; and
local authenticating means for authenticating a
received request when said first data in said re-
ceived request matches said data maintained by
its own cache means, and for requesting authen-
tication of said received request by said authenti-
cation agent running on the same computer as
said server process when said data in said re-
ceived request does not match said data main-
tained by its own cache means.

3. The security apparatus of claim 1, wherein

said local cache means includes means for time limit-
ing validity of said data identifying previously au-
thenticated requests;

said received request authenticating means including
means for not matching data in said received re-
quest match with invalid data in said local cache
means.

4. In a distributed computer system having a multi-
plicity of interconnected computers, security apparatus
comprising:

a plurality of processes, each process running on one
of said multiplicity of computers, said plurality of
processes including requester processes and server
processes;

secure channels connecting first ones of said multi-
plicity of computers on which respective ones of
said requester processes are running to second ones
of said multiplicity of computers on which respec-
tive ones of said server processes are running;

a plurality of authenticating agents, each running in a
trusted computing base on a different one of said
multiplicity of interconnected computers;

each requester process including means for generat- 
ing a request and for initiating transmission of said 
request over one of said secure channels to a speci- 
fied one of said server processes, said request in- 
cluding a first datum allegedly identifying a princi- 
pal associated with said requester process; 

each authenticating agent running on one of said 
multiplicity of interconnected computers having at 
least one requester process running thereon includ- 
ing: 

request processing means for adding a second 
datum to each request generated by a requester 
process running on the same one of said multi- 
plicity of computers as said authenticating agent, 
wherein said second datum uniquely corre- 
sponds to said originating requester process; and 
request authenticating means for authenticating 
that the first datum and second datum in a previ- 
ously sent request are valid; 
each authenticating agent running on one of said 
multiplicity of interconnected computers having at 
least one server process running thereon including: 
local cache means for maintaining data indicating 
said first datum and second datum in previously 
authenticated requests; and 
received request authenticating means for (A) au- 
thenticating, on behalf of said at least one server 
process, a received request when said first datum 
and second datum in said received request match 
said data maintained by said local cache means, 
(B) obtaining authentication of said received 
request from said authenticating agent running 
on the same computer as the requester process 
that sent said received request when said first 
datum and second datum in said received request 
do not match said data maintained by said local 
cache means, and (C) enabling said at least one 
server process to process said received request 
only after said received request has been authen- 
ticated. 

5. The security apparatus of claim 4, wherein 
each server process includes 

cache means for maintaining its own local cache of 
data indicating said first datum and second 
datum in previously authenticated requests re- 
ceived by said server process; and 

local authenticating means for authenticating a 
received request when said first datum and sec- 
ond datum in said received request match said 
data maintained by its own cache means, and for 
requesting authentication of said received re- 
quest by said authentication agent running on the 
same computer as said server process when said 
first datum and second datum in said received 
request do not match said data maintained by its 
own cache means. 

6. The security apparatus of claim 4, wherein 

said local cache means includes means for time limit- 
ing validity of said data identifying previously au- 
thenticated requests; 

said received request authenticating means including 
means for not matching data in said received re- 
quest match with invalid data in said local cache 
means. 
7. A method of operating a distributed computer
system having a multiplicity of interconnected comput-
ers, the steps of the method comprising:
running requester processes on at least a first subset of
said multiplicity of computers and running server processes
on at least a second subset of said multiplicity of
computers;

interconnecting with secure channels first ones of
said multiplicity of computers on which respective
ones of said requester processes are running to
second ones of said multiplicity of computers on
which respective ones of said server processes are
running;

establishing authenticating agents within a trusted
computing base on each one of said multiplicity of
computers;

said requester processes each generating requests and
initiating transmission of said requests over ones of
said secure channels to specified ones of said server
processes, said requests each including a first
datum allegedly identifying a principal associated
with said each requester process;

said authenticating agents adding to each request
generated by said requester processes a second
datum uniquely corresponding to the one of said
requester processes which generated said each
request; and

those of said authenticating agents established on
ones of said multiplicity of computers having at
least one server process running thereon (A) main-
taining a local cache of data indicating said first
datum and second datum in previously authenti-
cated requests received by said at least one server
process, and (B) authenticating, on behalf of said at
least one server process, a received request when
said first datum and second datum in said received
request match said data in said local cache, (C) 
obtaining authentication of said received request, 
from said authenticating agent established on the 
computer running the requester process that sent 
said received request, when said first datum and 
second datum in said received request do not 
match said data maintained by said local cache 
means, and (D) for enabling said at least one server 
process to process said received request only after 
said received request has been authenticated. 

8. The method of claim 7, 

each server process maintaining its own local cache 
of data indicating said first datum and second 
datum in previously authenticated requests re- 
ceived by said server process; and 

each server process self-authenticating a received 
request when said first datum and second datum in 
said received request match said data maintained 
by its own cache means, and requesting authentica- 
tion of said received request by said authentication 
agent running on the same computer as said server 
process when said first datum and second datum in 
said received request do not match said data main- 
tained by its own cache means. 

9. The method of claim 7, 

said authentication agents time limiting validity of 
said data maintained in said local cache for each 
said previously authenticated request; 

said authentication agents for not authenticating, on 
behalf of said at least one server process, a received 
request when said first datum and second datum in 
said received request match invalid data in said 
local cache. 
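The control flow laid out in the detailed description (steps 212 and 214, caches 160 and 164) and in claims 7 through 9 (the requester node's agent adding the second datum, the server node's agent keeping a time-limited cache of authenticated first/second datum pairs, and the credential round trip to the requester node's agent when nothing matches) can be followed in a small simulation. The Python below is an added illustration and is not code from the patent or from Digital Equipment Corporation; the Request fields, the in-memory dictionary standing in for the secure channel between nodes, the manual clock, the cache lifetimes, and the two constructed bad requests in demo() are all assumptions made for this example.

```python
"""Simulation of locally cached authentication (added example, not the patent's code).

Assumed for illustration: the Request fields, an in-memory dict standing in for the
secure channel, a manual clock, and the cache lifetimes used in demo().
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    principal_id: str  # first datum: principal the requester claims to be
    auth_id: int       # second datum: added by the requester node's agent
    body: str


class Clock:
    """Manual clock so cache expiry can be exercised deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RequesterNodeAgent:
    """Agent in the requester node's trusted computing base."""
    def __init__(self) -> None:
        self._next_id = itertools.count(1)
        self._procs: Dict[int, str] = {}  # auth_id -> principal the process runs as
        self.credential_requests = 0      # round trips answered for server nodes

    def register_process(self, principal_id: str) -> int:
        """A process started as principal_id gets an auth_id only this agent issues."""
        auth_id = next(self._next_id)
        self._procs[auth_id] = principal_id
        return auth_id

    def stamp(self, auth_id: int, principal_id: str, body: str) -> Request:
        """Add the second datum; refuse a process that claims another principal."""
        if self._procs.get(auth_id) != principal_id:
            raise PermissionError("process may not claim that principal")
        return Request(principal_id, auth_id, body)

    def credentials_for(self, auth_id: int) -> Optional[str]:
        """Peer side of step 214: tell a server node's agent who auth_id belongs to."""
        self.credential_requests += 1
        return self._procs.get(auth_id)


class ServerNodeAgent:
    """Agent on the server node; cache 160 maps (node, auth_id) -> (principal, expiry)."""
    def __init__(self, clock: Clock, ttl: float, peers: Dict[str, RequesterNodeAgent]) -> None:
        self.clock, self.ttl, self.peers = clock, ttl, peers
        self.cache: Dict[Tuple[str, int], Tuple[str, float]] = {}

    def authenticate(self, from_node: str, req: Request) -> Optional[Tuple[str, float]]:
        """Return (principal, timestamp) if the request is authentic, else None."""
        key = (from_node, req.auth_id)     # from_node is known from the secure channel
        entry = self.cache.get(key)
        if entry is not None:
            principal, expiry = entry
            if expiry <= self.clock.now:
                del self.cache[key]        # expired data must never match
            elif principal == req.principal_id:
                return principal, self.clock.now   # step 212: pre-authenticated
            # cached principal disagrees with the first datum: re-check with the peer
        peer = self.peers.get(from_node)
        principal = peer.credentials_for(req.auth_id) if peer else None  # step 214
        if principal is None or principal != req.principal_id:
            return None
        self.cache[key] = (principal, self.clock.now + self.ttl)
        return principal, self.clock.now


class ServerProcess:
    """A server process with its own cache 164, keyed on both data."""
    def __init__(self, agent: ServerNodeAgent, clock: Clock, ttl: float) -> None:
        self.agent, self.clock, self.ttl = agent, clock, ttl
        self.cache: Dict[Tuple[str, int, str], float] = {}  # -> expiry
        self.agent_calls = 0

    def handle(self, from_node: str, req: Request) -> Optional[str]:
        """Return the authenticated principal, or None if the request is refused."""
        key = (from_node, req.auth_id, req.principal_id)
        expiry = self.cache.get(key)
        if expiry is not None and expiry > self.clock.now:
            return req.principal_id        # local hit: the agent is not consulted
        self.cache.pop(key, None)
        self.agent_calls += 1
        result = self.agent.authenticate(from_node, req)
        if result is None:
            return None
        principal, stamp = result
        self.cache[key] = stamp + self.ttl
        return principal


def demo() -> dict:
    """Cold start, a hit in each cache level, expiry, then two constructed bad requests."""
    clock = Clock()
    node_a = RequesterNodeAgent()
    agent = ServerNodeAgent(clock, ttl=60.0, peers={"nodeA": node_a})
    server = ServerProcess(agent, clock, ttl=30.0)
    alice = node_a.register_process("alice")
    results: List[Optional[str]] = []
    results.append(server.handle("nodeA", node_a.stamp(alice, "alice", "read f1")))  # peer round trip
    results.append(server.handle("nodeA", node_a.stamp(alice, "alice", "read f2")))  # hit in cache 164
    clock.advance(45)                                                                  # 164 expired, 160 valid
    results.append(server.handle("nodeA", node_a.stamp(alice, "alice", "read f3")))  # hit in cache 160
    clock.advance(45)                                                                  # both expired
    results.append(server.handle("nodeA", node_a.stamp(alice, "alice", "read f4")))  # peer round trip
    # Constructed bad requests that bypass stamp(): wrong first datum, then unknown second datum.
    results.append(server.handle("nodeA", Request("root", alice, "chmod 777 /etc")))
    results.append(server.handle("nodeA", Request("alice", 99, "read f5")))
    return {"results": results,
            "peer_round_trips": node_a.credential_requests,
            "agent_calls": server.agent_calls}
```

Calling demo() shows four legitimate requests from alice costing only two round trips to her node's agent, with the second request answered from the server process's own cache and the third from the server node agent's cache after the process-level entry has aged out. The two bad requests show the practical caveat: a request whose first datum disagrees with the principal the caches hold for its second datum can never match either cache, so every such attempt costs a round trip to the requester's node; the patent's caches record only authenticated requests, so a deployment that wants to bound that cost has to add its own rate limiting or negative caching.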

***** 